CVE-2012-3446

CWE-295Improper Certificate ValidationCWE-185CWE-20Improper Input Validation8 documents6 sources
Severity
5.9MEDIUM
EPSS
0.3%
top 43.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Libcloud
Timeline
PublishedNov 4
Latest updateMay 17

Description

Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

NVDapache/libcloud< 0.11.0
PyPIapache-libcloud< 0.11.1
Debianlibcloud< 0.5.0-1.1+3

🔴Vulnerability Details

4
GHSA
Apache Libcloud vulnerable to certificate impersonation2022-05-17
OSV
Apache Libcloud vulnerable to certificate impersonation2022-05-17
CVEList
CVE-2012-3446: Apache Libcloud before 02012-11-04
OSV
CVE-2012-3446: Apache Libcloud before 02012-11-04

📋Vendor Advisories

1
Debian
CVE-2012-3446: libcloud - Apache Libcloud before 0.11.1 uses an incorrect regular expression during verifi...2012

💬Community

2
Bugzilla
CVE-2012-3446 libcloud: possible SSL MITM due to invalid regexp used to validate target server hostname2012-08-03
Bugzilla
CVE-2012-3446 libcloud: possible SSL MITM due to invalid regexp used to validate target server hostname [fedora-all]2012-08-03
CVE-2012-3446 (MEDIUM CVSS 5.9) | Apache Libcloud before 0.11.1 uses | cvebase.io